adaware terminates spybot and process guard is helpless to stop it


vam
March 8th, 2005, 12:43 AM
Ad-Aware SE 1.05, using definitions file SE1R30 08.03.2005,

declares that Spybot Search and Destroy 1.3 is spyware (180solutions) and then terminates Spybot. Process Guard flashes its warning saying that Ad-Aware tried but was blocked from terminating Spybot. Ad-Aware does indeed terminate Spybot.

I tried to terminate Spybot from within Task Manager but was blocked by Process Guard.

Ad-Aware is authorized to read and modify. Spybot is protected from termination and modification (except from this killer version of Ad-Aware).

These Ad-Aware definitions make it the first time that Ad-Aware called Spybot 180solutions spyware and then proceeded to kill it outright.

Just in case Spybot was spyware, I installed a new copy of Spybot, and Ad-Aware called this copy spyware and killed it off as well.

Am I to make from this that Process Guard is unable to protect from termination? Has Ad-Aware sold its soul to the devil?

jon123
March 8th, 2005, 12:50 AM
Don't recall what it was, but I saw a complaint recently about new Ad-Aware versions allowing previously declared (by Ad-Aware) spyware, i.e. I believe it was removed from the defs.

Pilli
March 8th, 2005, 12:58 AM
Hi Vam, AdAware defs: Reference Number : SE1R28 16.02.2005
Hmm, not sure what is wrong there: AdAware and Spybot with default PG settings.
Here is my PG log:
Tue 08 - 05:51:59 [EXECUTION] "c:\program files\lavasoft\ad-aware se professional\ad-aware.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
[EXECUTION] Commandline - [ "c:\program files\lavasoft\ad-aware se professional\ad-aware.exe" ]
Tue 08 - 05:53:57 [EXECUTION] "c:\tds3\ext.sys\execprot.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
[EXECUTION] Commandline - [ c:\tds3\ext.sys\execprot.exe tds|tdsdll-test:c:\program files\spybot - search & destroy\spybotsd.exe ]
Tue 08 - 05:53:59 [EXECUTION] "c:\program files\spybot - search & destroy\spybotsd.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
[EXECUTION] Commandline - [ "c:\program files\spybot - search & destroy\spybotsd.exe" ]
Tue 08 - 05:55:12 [TERMINATE] c:\program files\lavasoft\ad-aware se professional\ad-aware.exe [3844] was blocked from terminating c:\program files\spybot - search & destroy\spybotsd.exe [4080]
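The log above is the kind of evidence the thread keeps coming back to: PG reports a termination as blocked, yet the users say the target still died. A small parser that turns these lines into structured events and rates each [TERMINATE] entry against a list of applications you expect to be protected makes that comparison mechanical rather than eyeballed. This is an added example, not ProcessGuard's own code or any DiamondCS tool; the log format is inferred from the lines Pilli posted, the "was allowed to terminate" wording of the last sample line is an assumption (the thread shows only the blocked form), and the sample log is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the ProcessGuard log lines in this thread.
# The last line is an ASSUMED "allowed" variant; the thread only shows the blocked form.
SAMPLE_LOG = r"""Tue 08 - 05:51:59 [EXECUTION] "c:\program files\lavasoft\ad-aware se professional\ad-aware.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
[EXECUTION] Commandline - [ "c:\program files\lavasoft\ad-aware se professional\ad-aware.exe" ]
Tue 08 - 05:53:59 [EXECUTION] "c:\program files\spybot - search & destroy\spybotsd.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
[EXECUTION] Commandline - [ "c:\program files\spybot - search & destroy\spybotsd.exe" ]
Tue 08 - 05:55:12 [TERMINATE] c:\program files\lavasoft\ad-aware se professional\ad-aware.exe [3844] was blocked from terminating c:\program files\spybot - search & destroy\spybotsd.exe [4080]
Tue 08 - 05:55:40 [TERMINATE] c:\program files\lavasoft\ad-aware se professional\ad-aware.exe [3844] was allowed to terminate c:\winnt\notepad.exe [2210]
"""

TS = r'(?P<ts>\w{3} \d{2} - \d{2}:\d{2}:\d{2})'
RUN_RE = re.compile(TS + r' \[EXECUTION\] "(?P<path>[^"]+)" was (?P<outcome>allowed|blocked) (?:to run|from running)$')
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<parent_pid>\d+)\]$')
CMD_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmdline>.*) \]$')
TERM_RE = re.compile(TS + r' \[TERMINATE\] (?P<actor>.+?) \[(?P<actor_pid>\d+)\] was '
                     r'(?P<outcome>allowed|blocked) (?:to terminate|from terminating) '
                     r'(?P<target>.+?) \[(?P<target_pid>\d+)\]$')


def basename(path):
    # Windows paths; split on backslash by hand so this also works when run on a non-Windows host.
    return path.replace('\\', '/').rsplit('/', 1)[-1].lower()


def parse_pg_log(text):
    """Turn PG log text into a list of event dicts. The two indented continuation
    lines of an [EXECUTION] entry are folded into the preceding execution event."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            events.append({'kind': 'execution', 'ts': m['ts'], 'path': m['path'],
                           'outcome': m['outcome'], 'parent': None, 'parent_pid': None, 'cmdline': None})
            continue
        m = PARENT_RE.match(line)
        if m and events and events[-1]['kind'] == 'execution':
            events[-1]['parent'] = m['parent']
            events[-1]['parent_pid'] = int(m['parent_pid'])
            continue
        m = CMD_RE.match(line)
        if m and events and events[-1]['kind'] == 'execution':
            events[-1]['cmdline'] = m['cmdline']
            continue
        m = TERM_RE.match(line)
        if m:
            events.append({'kind': 'terminate', 'ts': m['ts'], 'actor': m['actor'],
                           'actor_pid': int(m['actor_pid']), 'outcome': m['outcome'],
                           'target': m['target'], 'target_pid': int(m['target_pid'])})
            continue
        events.append({'kind': 'unparsed', 'line': line})  # keep, never silently drop
    return events


def termination_findings(events, protected):
    """One finding per [TERMINATE] event plus attempt counts per (actor, target) pair.
    protected: set of lower-case executable names PG is configured to protect."""
    findings = []
    attempts = Counter()
    for ev in events:
        if ev['kind'] != 'terminate':
            continue
        actor, target = basename(ev['actor']), basename(ev['target'])
        attempts[(actor, target)] += 1
        if target in protected and ev['outcome'] == 'allowed':
            severity = 'high'    # a protected app was terminated: protection did not hold
        elif target in protected:
            severity = 'medium'  # blocked, but something is actively trying to kill a protected app
        else:
            severity = 'info'
        findings.append({'ts': ev['ts'], 'actor': actor, 'target': target,
                         'outcome': ev['outcome'], 'severity': severity})
    return findings, attempts


if __name__ == '__main__':
    evs = parse_pg_log(SAMPLE_LOG)
    found, counts = termination_findings(evs, {'spybotsd.exe'})
    for f in found:
        print(f"{f['ts']} [{f['severity']:6}] {f['actor']} -> {f['target']}: {f['outcome']}")
    for (actor, target), n in counts.items():
        print(f"{n} attempt(s): {actor} -> {target}")
```

A repeated (actor, target) count above one for a protected target is the pattern rickontheweb describes later in the thread, where some attempts are blocked and a different method gets through; comparing these findings against what Task Manager actually shows is the check vam was doing by hand.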

rickontheweb
March 8th, 2005, 10:59 AM
Pilli, your log indicates termination was prevented by ProcessGuard. Did Ad-Aware succeed in termination anyway? It looks like new definitions came out yesterday for Ad-Aware.

I would try this out myself, but I recently removed paid Ad-Aware SE Plus 1.05 from my system since its Ad-Watch protection was no longer functioning as it did under the older non-SE versions and was not protecting startup entries. Ad-Watch would flash red but not indicate anything in its logs, and I found that I could delete startup entries normally protected by the non-SE versions without a deny/allow prompt, including Ad-Watch's own startup registry entry. Since Ad-Watch was the only reason I paid for their program, it was uninstalled.

I have always been a fan of Ad-Aware, but I am starting to ponder the same question Vam mentioned last.

Pilli
March 8th, 2005, 11:03 AM
Hi Rick, No, Spybot was not terminated ;D With the last definitions or the latest ones.

Pilli

jon123
March 8th, 2005, 08:17 PM
WhenU removed from defs according to these guys.
http://www.broadbandreports.com/forum/remark,12665642~mode=flat

rickontheweb
March 8th, 2005, 09:45 PM
Well, I took the Ad-Aware/Spybot S&D challenge since I backed up my partition yesterday and could put it all back quickly.

I reinstalled Ad-Aware SE Plus 1.05 and loaded Ad-Watch. I gave it all the same rights I did before in my firewall and in ProcessGuard and updated to the current definition. Upon launch of Spybot S&D, Ad-Watch indeed popped up touting the process as 180solutions and prompted for allow/deny. I allowed. Upon reboot Ad-Watch crashed, saying something about a corrupted process list and to close and restart Ad-Watch. It appeared to function normally after that. Ad-Watch was even protecting startup entries from deletion like it was supposed to, for a change. But upon relaunch of Spybot, Ad-Watch again prompted to disallow Spybot from starting, touting it as a 180solutions dataminer. But running a full Ad-Aware scan yielded nothing.

I forgot to test if ProcessGuard would protect Spybot from termination while running however. I restored my partition back, removing Ad-Aware. If you go to lavasoftusa.com, go into their support forums and search on Spybot, you'll see there are several reports of this being mentioned with no answers yet from mods or forum volunteers. You'll also see the link in that search result for the very long and heated WhenU removal discussion and Lavasoft's responses.

I guess we'll see some answers over the next few days. I might try a reinstall of Ad-Aware tomorrow if I get time and see if ProcessGuard stops the termination on my machine here.

vam
March 8th, 2005, 11:53 PM
Hi everyone.

I did some more testing.
When using Ad-Aware definition SE1R30 08.03.2005, Ad-Aware kills Spybot.

When using Ad-Aware definition SE1R29 05.03.2005, Ad-Aware does not kill Spybot.

I suppose this thread has two issues:
1. Ad-Aware killing Spybot.
2. Process Guard is unable to stop Ad-Aware from terminating Spybot.

Note: Ad-Aware doesn't just close Spybot's window, it actually stops it dead (per Windows Task Manager).

I can remove Ad-Aware, but how do I stop it or other programs that develop this ability to terminate a program that Process Guard is supposedly protecting from termination or modification?

Pilli
March 9th, 2005, 03:05 AM
Hi Vam, As far as I know there is no method of terminating a protected program except by another protected program that has the allow termination flag enabled.
You should try both of the following:
1. Remove AdAware.exe from the protection list and see if AA can terminate Spybot.
2. Get the Advanced Process Termination tool from here: http://www.diamondcs.com.au/index.php?page=products and test it against your protected apps. Note that two of the tests, 6 & 7 if I remember correctly, require that Secure Message Handling is enabled.

It will be interesting to see your results. :)

Thanks. Pilli

Antarctica
March 9th, 2005, 05:23 AM
-{ Quote: "Hi everyone.

I did some more testing.
When using adaware definition se1r30 08.03.2005 adaware kills spybot" }-

Hi,
It's funny because I have the same definition on my system and the same programs, including PG. I did the same test a couple of minutes ago and nothing happened. :o

Diazruanova
March 9th, 2005, 09:03 AM
Hi,

It seems that in order for Ad-Aware to kill the SB process, SB has to be open and have its process active; otherwise, if you scan with Ad-Aware, it detects nothing. BUT if you have Ad-Watch running and then you proceed to open SBSD, Ad-Watch detects it and warns you immediately. And yes, this started to happen upon updating to the most recent def. files: 08/03/2005. There are already some threads in both forums, Lava's and SBSD's, regarding this issue.

Diazruanova

wyrmrider
March 9th, 2005, 11:48 AM
Ad-Aware is also targeting Zerospyware and Aluria for removal,
both good apps according to Eric Howes' list on www.spywarewarrior.com but with some questionable affiliates (IMHO) recently in the case of Aluria.

Vendor:Possible Browser Hijack attempt
Category:Vulnerability

TAC index:3

Description: Possible attempt to control/redirect the browser. This object refers to a "blacklisted" site. If the site listed is the site intended (in other words, it is set to the setting you wish it to be set to), add this listing to your ignore list. If not, then selecting this item will reset your browser to the default setting for this item.

However, going to the "more data" site shows nothing,
so how do they determine a TAC?

They do show these:
Comment:(http://www.aluriasoftware.com/support)
Comment:(http://www.zerospyware.com)

why is this not in the "more information" page?

Wyrmrider

Corrine
March 9th, 2005, 03:08 PM
A new Definition File is in the process of being tested right now.

As soon as the report was provided to R&D this morning, 180Solutions was allowed to be installed in stealth on a test machine and tests were run. Indeed the problem that has been reported was duplicated. Steps were taken immediately to correct the problem. If you use Ad-Aware, please watch for a new Def. File to be released.

Thank you and apologies for the inconvenience.

Pilli
March 9th, 2005, 03:20 PM
Thanks for the information Corrine. :)

rickontheweb
March 9th, 2005, 05:36 PM
Looks like Ad-Aware fixed the Spybot S&D detection error in an updated definition file. I'm glad they fixed this issue quickly. No mention of what the problem was.

Corrine, just for the record I never had a 180solutions infection. Thanks for the update!

Rodehard
March 9th, 2005, 07:19 PM
Which leaves us with "How was Ad-Aware able to shut down SB when it was protected by PG?". I ran the same tests and Ad-Aware did, in fact, shut down SB no matter what the log said otherwise. And this is probably an easy one, but why does Ad-Aware need to modify all running applications?
I uploaded a view of my log. It says I did, but I don't see it in this preview, so I hope it took.

rickontheweb
March 9th, 2005, 08:31 PM
Ad-Aware has to take on some serious contenders to remove them and knows all the termination tricks in the book. It may well be that ProcessGuard did succeed in blocking some of the attempted termination requests.

Before you update the definition file in Ad-Aware try running the test with Secure Message Handling enabled for Spybot and see if that changes the outcome.

I wish I had tested termination and not just launch detection by Ad-Watch. It didn't succeed on Pilli's test. Maybe different variations of protection settings affect the outcome. What are the default settings for these two apps? My system is NEVER default.... ;D

vam
March 9th, 2005, 10:24 PM
Hi all.

Ad-Aware has fixed the SB problem with Def SE1R31.

Note: Ad-Aware is authorized to modify and read; Spybot is protected from termination and modification (in PG).

I can't do the test of Ad-Aware vs. Spybot using Secure Message Handling because I'm using the free edition of PG and that's not included.

I still have a copy of Ad-Aware def SE1R30 if anyone wants to test it against Secure Message Handling.

Will the next version of spyware learn Ad-Aware's trick for terminating a protected program?

Is the full edition of Process Guard any better at protection than the free edition?

Seeya

Rodehard
March 9th, 2005, 10:57 PM
-{ Quote: "Ad-Aware has to take on some serious contenders to remove them and knows all the termination tricks in the book. It may well be that ProcessGuard did succeed in blocking some of the attempted termination requests." }-

I didn't pay for "some" protection. What good is termination protection if it doesn't prevent termination?

-{ Quote: "Before you update the definition file in Ad-Aware try running the test with Secure Message Handling enabled for Spybot and see if that changes the outcome." }-

Too late, I updated and fixed the issue. But I did test it several times with secure settings and Ad-Aware blew away PG each time. I shouldn't have to experiment with CMH; it's cumbersome and not user friendly. Afterwards I ran the regtest that Jason has provided and was shocked even further to see those results. To be fair, I had to permit the test to run via PG to begin with, but after that it was Katy bar the door. Whew, do not want to jump the gun on the permit button. Prevx Pro, KAV 4.5 and KAV 2006 Prototype didn't even blink. AdWatch did try once or twice but was ignored. Outpost firewall held its mud after asking if I really wanted to shut it down. At least my ignoble demise would not have taken others with it.

So, if I need RD to watch PG's back what watches RD's back? Is there protection that actually does what it says?

Capp
March 9th, 2005, 11:44 PM
Today (3/9/05)

I ran a full update of Ad-Aware SE and did a full update of Spybot S&D and did a full system scan with both. Neither did anything out of the ordinary. I even ran the scans at the same time and Ad-Aware did not list anything. I activated TeaTimer and scanned again with Ad-Aware...still nothing.

Maybe this is just a glitch with some systems?

Graphic Equaliser
March 10th, 2005, 06:41 AM
Windows Privilege Escalation allows the following escalations of privilege :-

ASSIGNPRIMARYTOKEN
AUDIT
BACKUP
CHANGE_NOTIFY
CREATE_PAGEFILE
CREATE_PERMANENT
CREATE_TOKEN
DEBUG
ENABLE_DELEGATION
INC_BAPRIORITY
INCREAQUOTA
LOAD_DRIVER
LOCK_MEMORY
MACHINE_ACCOUNT
PROF_SINGLE_PROCESS
REMOTE_SHUTDOWN <----------- Perhaps AdAware used this one
RESTORE
SECURITY
SHUTDOWN <----------- or this one
SYNC_AGENT
SYSTEM_ENVIRONMENT
SYSTEM_PROFILE
SYSTEMTIME
TAKE_OWNERSHIP <----------- Seems pretty dangerous to me !
TCB
UNDOCK
UNSOLICITED_INPUT <----------- What on earth is this for !?!

I wonder which one Ad-Aware used to terminate Spybot S&D. I also wonder why Windows would have a "privilege escalation" function in its API. I also wonder why Windows has "create thread in another running program's workspace" and "inject code into another running program's workspace" functions in its API. ???

Sometimes, I think Windows is just far too open to ever be secure.

Pilli
March 10th, 2005, 07:03 AM
Hi Graphic, I cannot answer your question but there appear to be many undocumented calls, maybe AA has found yet another :)

rickontheweb
March 10th, 2005, 10:39 AM
Rodehard, I completely understand what you are saying and I also agree that Secure Message Handling is not a user friendly experience. But Windows was never built from the ground up with security in mind, and there are a ton of ways to terminate a process; looking at the post by Graphic Equaliser, some are possibly undocumented. SMH can stop some termination attempts, that's all I was trying to say. I personally don't like using it either, though.

I started playing with the apt.exe app Diamond offers to test terminating apps. Curiously, if you protect security related apps from being read, they do not even appear on the apt.exe list to be terminated, and PG shows their prevention from being read as you refresh. That may offer a limited extra measure of protection against some attempts. But of course that's not going to stop another security app from reading the app if it has the rights to read other protected apps, or stop all termination attempts.

The more I learn about trying to secure windows, the more I learn it's almost impossible to actually nail it down completely. All these programs are evolving, but so is PG.

snowfire
March 10th, 2005, 08:38 PM
Hi! All,

Fortunately I did not have "termination" problems. At least that I was made aware of via PG or any other of my security progs. But I was definitely having some problems...and the trail led to Ad-Aware (to the best of my humble non-expert knowledge).

FYI... http://computercops.biz/postt109318.html

webwatcher
March 25th, 2005, 07:16 PM
I'm glad that Lavasoft rectified the false positive with Spybot. But how about the remaining issues with Zerospyware and other antispyware applications?

Paranoid2000
April 2nd, 2005, 10:57 AM
-{ Quote: "I didn't pay for "some" protection. What good is termination protection if it doesn't prevent termination?" }-

Process Guard can only provide complete termination protection if Secure Message Handling is enabled on the protected application. Otherwise the application can be shut down with a WM_CLOSE message (which has the same effect as clicking the X button on the top right of the window). If an application has no windows (e.g. Windows services running in the background) then it cannot be affected in this way, but this does not apply to Spybot.

SMH (known as CMH in PG version 2) certainly has scope for improvement but should work with most applications in its current form and can also be used to guard against configuration changes (e.g. disabling a firewall or setting its policy to "allow everything") if these are available via a menu option.

Process Guard does not (yet) provide "Windows shutdown protection" (which would prevent applications like RegTest from restarting the system without your explicit say-so) so anyone wishing to see this added should post in the ProcessGuard v3.xxx Suggestions / Wishlist (http://www.wilderssecurity.com/showthread.php?t=53279) thread.

snowfire
April 2nd, 2005, 09:48 PM
Hello! Everyone,

I have been having a pack of problems starting with Ad-Aware. I do not know if Ad-Aware caused most or all of my problems. The KB887742 hack...I mean patch...was not very "friendly" either! And, though at first I thought PG had gone south on me, as it turns out PG gave me the power and control I needed to deal with multiple issues.

I am the one who posted "Windows Processes Not Logging" here. I will be posting there (after I finish this) about a near complete resolution regarding my issues. A complete resolution regarding PG.

PG is a deceptively simple yet very powerful tool. I have learned to be very careful and subsequently have gained even greater control.

If it were not for PG I would still be at the mercy of the issues I was experiencing!!!!

snowfire